From My Porch I Can See Identity Thieves

Everyone saw it coming the moment she was announced as John McCain’s running mate. It didn’t matter if you knew nothing else about Gov. Sarah Palin; the moment you saw her you knew this: Tina Fey would be playing her on SNL. The resemblance is uncanny and the impression hilarious, and even though you can’t seriously classify Fey’s caricature of Palin as identity theft, what happened to Palin’s Yahoo Mail account may be.

Using social engineering, hackers exploited known weaknesses in Yahoo Mail’s password-recovery feature. What is social engineering? It is the use of social skills, like lying, deception and persuasion, to manipulate people into doing what we want or giving out confidential information. Online, it usually refers to someone posing as a legitimate user in order to gain privileged information like passwords or usernames.

How did they get Palin? Like most web accounts, Yahoo allows you to reset or recover your username and password. Usually this is allowed once you’ve provided personal information that identifies you as the authorized user. How hard was it to get into Palin’s email account?

According to published news reports:

  • It took just 15 seconds on Wikipedia to answer the prompt for Palin’s birthdate
  • The prompt for a ZIP code took little more time considering Wasilla, Alaska, only has two
  • Palin’s personal security question, ‘Where did you meet your spouse?’ took a few attempts before the correct answer was successfully guessed: Wasilla High School.

I’m not well known like Palin, but it still won’t take much more time to learn that I was born in Brooklyn, NY or that my mom’s maiden name was Beck. I went to a lot more grade schools than the average person, so that may slow you down a little, but once you realize my childhood hero was Batman, I’m screwed.

The problem for Palin is that her personal information is, well, public. The problem for the rest of us is that even for a relatively unsophisticated identity thief, ours is too.
